Store “password is ok” in php Session variable?

2020-03-26 06:36发布

Is it safe to store a password in a sessions variable?

For example, usage would be in a form which is submitted to itself.

For example a change classifieds page, where users first enter a password, and then if pass=ok, show the form to change the classified. All on same php-page.

But Whenever a picture is uploaded in the "change" part of the php page, the form must submit to itself again.

Should I here use the stores Session password to verify that the user is actually the user, and that it is secure?

In other words, is it safe to store something like this:

 if($pass==$row['password']){ // If password was correct
    $_SESSION['pass_ok']='1';
 }

Thanks

4条回答
狗以群分
2楼-- · 2020-03-26 07:01

Camran, what you are trying to do is a standard way to maintain php sessions. You are actually not storing the password in the session rather just storing the information that this particuar user has already logged in. $_SESSION['pass_ok']='1';

On every page you just have to do a session_start() and check of this session is already set to 1, if yes they assume him to be logged and proceeed, else redirect to login page.

If someone gets hold of the session id then they definitely can access the user session. You can do a few things to make it more secure.

  • Use SSl (https), it will make hard to sniff the data and get your session id
  • maintain the client ip in the session when user logs in, for every request after logging in, check if the requests are coming from same ip
  • Set a short session timeout, so that if left idle for a while the session times out automatically.
查看更多
劫难
3楼-- · 2020-03-26 07:05

I would advise against it. If someone logs in and copies the session ID down they can theoretically log in to any page. I would instead advise you check the password is okay on every page refresh as this will be more secure.

Additionally, always store passwords hashed in a database, or better yet, hashed with salts.

查看更多
我命由我不由天
4楼-- · 2020-03-26 07:09

Use a pre-built authentication system. That your best bet at being secure because they would have (or should have) thought of everything (security issue) already.

查看更多
Root(大扎)
5楼-- · 2020-03-26 07:11

What i do is,

  1. Check user logs in correctly
  2. Assign a session to username + userLOGGEDIN session
  3. When a page is clicked, my system searches the DB for username + userLOGGEDIN if its true then allows access to the page, but what it also does is, deletes the record its just searched for, and inserts a new record for the username + userLOGGEDIN with a different MD5 HASH. So hopefully it will be harder to crack.
查看更多
登录 后发表回答